CUCM Authentication on INVITE

jmunoz19 · ‎10-01-2013

We have a requirement to have CUCM challenge for authentication when it receives an invite from a SIP 3rd Party Device. Apparently, this functionality is available on other PBXs. How do we configure it on CUCM?

Thanks!

Jeff

Chris Deren · ‎10-01-2013

Jeff,

This is not available in CUCM, you need to include CUBE in the path. One of the drawbacks of direct SIP trunk to CUCM. All Cisco deployments strongly recommend CUBE.

HTH,

Chris

Jonathan Schulenberg · ‎10-02-2013

This is that rare situation where I have to disagree with Chris. CUCM supports DIGEST Authentication - as the challenging party - on both the line and trunk side. It does not support replying to a DIGEST challenge though; for that you do need CUBE. This behavior is driven by the Security Profile assigned to the device/trunk. You can actually see an example of this in the Unity Connection Configuration guide where "with authentication" is one of the choose-your-own-adventure paths you can take.

Based on the phrase "3rd Party Device" (i.e. not trunk), I'm guessing you mean a phone/endpoint here. Copy the default security profile for 3rd party basic/advanced, require authentication, create an end user and set the DIGEST Password on it, then set that as the DIGEST User on the device.

Just be advised that the password is only protected by an MD5 hash within the SIP traffic so it's not secure from man-in-the-middle attacks unless you layer TLS on top of it.

Please remember to rate helpful responses and identify helpful or correct answers.